Proxying Wayland for security
Alyssa Ross
hi at alyssa.is
Tue Jul 27 19:29:45 UTC 2021
Hi! I'm Alyssa and I'm working on Spectrum[1], which is a project
aiming to create a compartmentalized desktop Linux system, with high
levels of isolation between applications.
One big issue for us is protecting the system against potentially
malicious Wayland clients. It's important that a compartmentalized
application can't read from the clipboard or take a screenshot of the
whole desktop without user consent. (The latter is possible in
wlroots compositors with wlr-screencopy.)
So an idea I had was to write a proxy program that would sit
in front of the compositor, and receive connections from clients. If
a client sent a wl_data_offer::receive, for example, the proxy could
ask for user confirmation before forwarding that to the compositor.
I could just implement this stuff in a compositor, but doing it with a
proxy would mean that a known subset of the protocol could be used
with any compositor, with appropriate access controls. It would also
be a reusable component that could be customised to have different
access control policy depending on the needs of a distributor or user.
Which brings me to the reason I'm bringing this all up on
wayland-devel. I'd be grateful for any input about this idea,
especially:
* Is this a sensible idea? Is there something I haven't considered
which would make this unworkable, and force me to do a
compositor-specific implementation instead?
* Is this something that would be likely to be generally useful,
outside of our project? Would it make sense as something to
collaborate on / have as a freedesktop.org project?
[1]: https://spectrum-os.org/
Alyssa Ross
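A sketch of the interception step described in the post, added here as an example and not Spectrum's or any existing proxy's code: it parses the Wayland wire format of client requests, recognises wl_data_offer::receive on an object the proxy already knows to be a wl_data_offer, and hands the requested MIME type to a policy callback before forwarding. The object-id map, the `allow` callback and the sample stream are assumptions constructed for the demo.

```python
import struct
# Wayland wire format (host byte order; little-endian assumed): 8-byte header
# of sender object id, then a word with message length in bytes (header
# included) in the upper 16 bits and the opcode in the lower 16. Args are
# 32-bit aligned; a string is a 32-bit length (NUL included) plus padded bytes.
HEADER = struct.Struct("<II")
# wl_data_offer request opcodes (wayland.xml): accept=0, receive=1, destroy=2,
# finish=3, set_actions=4. receive's fd arrives via SCM_RIGHTS, not in-stream.
WL_DATA_OFFER_RECEIVE = 1

def parse_messages(data):
    """Split a client->compositor byte stream into (obj_id, opcode, payload)."""
    msgs, off = [], 0
    while off + HEADER.size <= len(data):
        obj_id, word = HEADER.unpack_from(data, off)
        size, opcode = word >> 16, word & 0xFFFF
        if size < HEADER.size or off + size > len(data):
            raise ValueError("truncated or malformed message")
        msgs.append((obj_id, opcode, data[off + HEADER.size:off + size]))
        off += size
    return msgs

def read_string(payload):
    (n,) = struct.unpack_from("<I", payload)
    return payload[4:4 + n - 1].decode("utf-8")  # drop the trailing NUL

def filter_requests(data, interfaces, allow):
    """`interfaces` maps object id -> interface name; a real proxy learns it
    from new_id arguments in both directions (e.g. wl_data_device.data_offer).
    `allow(mime)` is the policy hook where the proxy would prompt the user."""
    forwarded, blocked = [], []
    for obj_id, opcode, payload in parse_messages(data):
        if interfaces.get(obj_id) == "wl_data_offer" and opcode == WL_DATA_OFFER_RECEIVE:
            mime = read_string(payload)
            if not allow(mime):  # a real proxy must also close the SCM_RIGHTS fd
                blocked.append((obj_id, mime))
                continue
        forwarded.append((obj_id, opcode, payload))
    return forwarded, blocked

def encode_request(obj_id, opcode, payload):  # constructed helpers for the sample
    return HEADER.pack(obj_id, ((HEADER.size + len(payload)) << 16) | opcode) + payload

def encode_string(s):
    raw = s.encode("utf-8") + b"\0"
    return struct.pack("<I", len(raw)) + raw + b"\0" * (-len(raw) % 4)

# Constructed sample: wl_surface.commit (opcode 6) on object 3, then a
# wl_data_offer.receive on object 7 asking for the clipboard as text.
SAMPLE = encode_request(3, 6, b"") + encode_request(
    7, WL_DATA_OFFER_RECEIVE, encode_string("text/plain;charset=utf-8"))
INTERFACES = {3: "wl_surface", 7: "wl_data_offer"}
```

Because opcodes are only meaningful per interface, the proxy has to track every object id's interface from new_id arguments in both directions; without that map a malicious client could hide a receive behind an id the proxy has not classified.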